Tuesday, March 2, 2010

Gmail Security Enhancements Expected...

Google will roll out a number of security enhancements to Gmail this week, says a source with knowledge of the new features. The changes are specifically designed to cut down on phishing and hacking attacks on Gmail accounts. There are two specific changes that we’ve heard Google is implementing.

The first is a secondary line of defense when a user has lost his or her password. If a Gmail account is accessed from a new computer, the user will have the option of receiving a text message with a new one-time-use pass key. They then enter that pass key into Gmail to authenticate themselves and lock out any bad users with access to the account.

Google is also possibly implementing a different version of OAuth for its contacts exporter (something often used by other services to import Gmail contacts). It’s likely to be OAuth Wrap, an easier-to-implement version of OAuth. If developers can be convinced to use it instead of harvesting and storing user credentials, there’s less of a security hole.

These changes are likely in response to the Chinese security incident from earlier this year. A secondary line of security for users would have avoided the Twitter documents leak from last year, which originally started with a guessed Gmail password and spiraled out of control from there.

This isn’t confirmed and Google hasn’t responded yet to our email, but we’ll update with any further information.